04:38:54 sarang: From page 51 of Zero to Monero 2.0 https://imgur.com/ICl3Eyv so the private key of the commitment to zero is used in the signature. But the key image of the commitment to zero is not used when linking two sets of key images. Is this correct? 05:04:58 The footnote 8 on page 51 says https://imgur.com/4H0d54j so the signature omits the commitment to zero 05:13:39 omitting them only during linking two signatures might be more elegant no? 08:03:25 It isn't needed in the signature unless you want to link 13:19:52 maybefbi: it would be quite a bit more expensive for verification to also have key images for commitments to zero 13:20:33 hmm true 13:29:28 if i rebuilt monero i will include it in the signature, because then it proves alice knows the z, the private key of the commitment to zero to the onlookers who dont know any view keys or such. even if i include the key image of the commitment to zero in the linking it wont cause problem because transaction public key rK is unique because r is chosen from a CPRNG. it is unlikely it will create a duplicate r and cause unwanted linkage of k 13:29:31 ey images 13:33:48 There is no need, even though the key image part is excluded the normal key part IS included, so you always sign and prove knowledge of z 13:34:47 The challenge is like H(..., Ko, Ko key image, commitment to zero) 13:37:46 The whole innovation with CLSAG is it lets you squish the signature into a smaller faster version because the commitment to zero doesn’t require a key image/linking 13:38:08 yeah i agree CLSAG is definitely better. 13:38:20 it is as lean as it can be with schemes like this 13:38:31 more or less yes 13:38:51 only that primary keypair use can be linked 13:39:58 to be frank im trying to make a DLSAG version of monero after i understand monero. i already have an MDLSAG. But CDLSAG is hard. i cant get it to work 13:42:17 i still havent gotten around to doing commitments inside an MDLSAG. perhaps i will need two commitments and two pseudo commitments 13:43:31 isn’t there some kind of flaw with DLSAG? 13:43:50 yes it needs self sign at getting money 13:43:58 *after getting money 13:44:15 not aware of any other flaws 15:15:07 It is true that it should be possible to "CLSAGify" DLSAG, as was mentioned in the original preprint 15:15:23 We just never bothered to work it out with the security proofs yet, because the self-spend issue was so onerous a requirement 15:16:07 But yeah, the whole CLSAG idea is just that you can squish the components together with some careful weighting inside the hash challenges... and you pay for it by carrying around key images for each component, even if you don't use them for linking 15:16:25 At that point, the "extra" key image(s) is/are only to make the algebra work 15:18:01 (there are applications to something like 3-CLSAG, like hidden timelocks)